Calpine, an independent power producer with 102 sites across the country, is required to conduct network compliance audits for regulators. Nearly a year ago, however, Calpine’s infrastructure engineering manager, Sean Curry, realized there was way too much firewall data for his team to track.
“Each of our six firewalls were generating 60GB of log data, about 2,200 events per second per day,” Curry said. “We’d lock it to the Unix server to flat file, and then we’d compress it and roll it off. We had to sift through terabytes of data, and we couldn’t file a report for two weeks. That wasn’t good enough. We couldn’t see anything in those logs even though we had the data.”
Curry said that he and his IT staff could have created a solution in-house. But Calpine’s IT department has a policy to treat information technology as a commodity and seek outside help whenever possible.
“If someone outside the company has expertise that could help us solve a problem, we don’t want to reinvent the wheel,” Curry said. “If it’s not an industry-specific technology problem—and this was more of a common technology problem—we don’t want to solve the problem over and over.”
Curry collaborated with Todd Wiederstein, an account manager at Accudata Systems Inc., a Houston-based data solutions company, and purchased a Network Intelligence Corp. Network Intelligence Engine HA appliance. Curry said he chose Accudata over several solutions integrators for two reasons. First, Accudata offered a sound solution to Calpine’s problem. Second, and just as important, Curry and his staff had worked with Accudata on previous projects and were comfortable with the company.
“We knew they did good work, and we had worked well together in the past,” Curry said.
Network Intelligence’s Engine HA provided a cost-effective solution that collected and managed the firewall data and allowed Curry to quickly create meaningful network usage reports.
“Calpine had a tremendous amount of reportable data, but the reporting module wasn’t digested,” said Wiederstein. “It was like an entire phone book that was out of order. With the Network Intelligence box, you can identify the most important aspects of the data. If there’s an attempt to log in to your network by a hacker, it won’t go unnoticed.”
Curry manages security, networking and applications for Calpine, which is based in San Jose, Calif. The company produces and sells power to major energy consumers, such as oil refineries and large retailers.
To manage 60GB of log data each day, Curry and his team would compress the data every other night and then erase it on a weekly basis. This placed a huge strain on company IT resources and was at odds with security and compliance best practices. Curry was even unable to produce acceptable-use reports to show what Calpine employees were viewing on the Internet.
“We’d conduct internal audits, and we’d get hit for not analyzing the information,” said Curry. “For example, we never knew whether the database administrators were abusing their network privileges.”
To appease external auditors, Calpine would hire five or six system administrators on a six-month contract to pull and read the log data. At $65 per hour per administrator, the costs added up for Curry’s department. And when the Northeastern portion of the United States experienced a power blackout a few years back, auditors subsequently required Calpine to file a report that Curry admits provided no insight.
“We had no analysis on the data,” Curry said. “We just provided raw data. They weren’t too pleased.” That’s when Curry said he decided to make a change.
Network Intelligence’s Engine HA Institutes Some Ch-ch-changes
Curry brought in five vendors in search of a solution to his company’s log problem. After listening to Wiederstein’s advice, he chose Network Intelligence, of Westwood, Mass.
“The other vendors needed lots of systems to keep up with all our events,” said Curry. “And they were very expensive, as well.”
Network Intelligence’s Engine HA cost Calpine approximately $30,000, said Curry.
The appliance scales as low as $20,000 to collect 500 eps (events per second), said Jim Melvin, Network Intelligence’s executive vice president for marketing and business development.
“Our product is unique in that it’s an appliance-based product that fits into the security information and event management space,” Melvin said. “Many of our customers come to us after failing an audit. More likely they’ve recently had an audit, but the cost and processes were overwhelming.”
Melvin said that Network Intelligence’s competitors offer software-based products that filter but don’t collect log data.
“What we see happening right now is customers are just starting to figure the impact of today’s compliance issues,” Melvin said. “We had Gartner [Inc.] on a [Web seminar] with us recently, and they said companies that solve compliance issues on a one-off instance can spend 10 times more than running a compliance product like ours. By collecting data, you can scale this out to handle a number of reports.”
Network Intelligence’s Engine HA is a single-unit product that was so easy to install that it started logging Calpine’s data just two days after purchase, Curry said. The engine stores uncommon data and provides trend analysis reports. Calpine uses the Network Intelligence product for all compliance reporting, including that involving the Sarbanes-Oxley Act and the trading regulations for the Calpine Energy Services trading platform.
“We loved it; you have visibility across the entire enterprise,” said Curry. “Our external and internal auditors come in and they don’t have to tie up our system administrators’ time pulling reports from servers or logs. We just sit the auditor in front of the reporting interface, and they can see canned reports. We also taught them how to pull their own reports.”
Wiederstein said Curry was initially skeptical that Network Intelligence’s Engine HA would work well. “When you’re being overwhelmed and the consultant says, ‘I have the silver bullet,’ it’s a little hard to believe,” said Wiederstein. To win Curry’s support, Wiederstein installed the Network Intelligence appliance before purchasing so that Curry could see it operate on Calpine’s network.
An unexpected bonus
The Network Intelligence product ran so well that, after it was up and running, Curry said he wondered whether he could apply it to other areas of his department. As the person responsible for server infrastructure oversight, both Unix and Windows, Curry realized this section of his department had the same problem—an inability to correlate information or report on users’ activity. “They’d have to look at 30 logs, and that was too much,” he said.
So Curry directed all of Calpine’s Unix and Windows servers, not to mention its switches, IS/IP, DoS (denial of service) prevention and firewalls, corporate NAT (Network Address Translation) routers and financial systems to report to Network Intelligence’s Engine HA. The appliance currently handles as many as 6,000 eps.
“If I could do it all over again, I would probably start logging earlier with the entire system,” said Curry, adding that there are some functionalities to the product that Calpine still doesn’t use.
“The functionality of the Network Intelligence product was communicated, but Calpine had such a heavy requirement upfront that it sold the box, and he didn’t look at its other possibilities,” said Wiederstein. “Beyond that initial problem, he revisited these other functionalities.”
Curry cautioned that Network Intelligence’s Engine HA is not for every company. “You need to analyze what you’re logging and why you want it,” he said. “But if you have an auditing requirement—and we do because of our requirements with our different regulatory bodies—it’s a sound investment. If not, you could end up spending a lot of money on firewall logging without using all the bells and whistles.”
Wiederstein echoed Curry’s comments. “It’s always important to take a hard look at your business requirements,” he said. “So many times you get focused on solving a current issue as opposed to actually planning for those bigger concerns. That’s where the Network Intelligence engine came in.”
Ira Apfel is a freelance writer in Bethesda, Md. Contact him at iapfel@yahoo.com.